Tuesday, January 24, 2017

The Patriot Act Is Changing. Here's What That Means for Your Privacy

The Patriot Act Is Changing. Here's What That Means for Your Privacy

This week, certain key sections of the notorious Patriot Act—the law that gives the NSA its snooping powers—automatically expired. Don’t get too excited just yet, though: they’re probably coming back with a few changes. Here’s what we know, and what it means for your privacy.

What Happened to the Patriot Act?

You might have heard in the news that “the Patriot Act is expiring.” This isn’t technically true. The Patriot Act, as a whole, is still in effect. There are a lot of parts that are not controversial (or at least, not as controversial) and they will remain in place. However, certain provisions that give the NSA authority to spy on both Americans and foreigners were set to expire. At midnight on Monday, that finally happened. They’re probably going to return, but one thing at a time. Here’s what the provisions in question entail:

Section 215: Bulk metadata collection:

This section is the one that allegedly allows the NSA to collect metadata for every phone call made to and from the U.S. in bulk, even if the U.S. citizens involved are not part of an investigation. It’s worth pointing out that a U.S. Court of Appeals has already ruled that this program exceeds the scope of what the Patriot Act authorizes, but it has not yet ordered the program shut down, because Congress was debating the program at the time anyway.

Unidentified roving wiretaps:

A lesser known program, Section 206 authorizes the NSA to receive permission from secretive FISA courts—courts that are not accessible to the public which grant warrants for surveillance—allowing them to wiretap any communication method that a suspect may use to communicate. If a target throws away a burner phone, the NSA could tap a different line without needing a new warrant. Worse yet, the NSA would not need to identify the name of the target.

Lone wolf warrants:

This particular provision allows the NSA to receive warrants from FISA courts for electronic surveillance of a suspect without showing that the person is connected to any known terrorist group or foreign power. It’s worth mentioning that this particular provision has reportedly never been used, indicating that it’s reasonable to let it expire for practical reasons as well as privacy ones.

All of these provisions (as well as many others) have been set to expire multiple times over the last decade, but Congress and the President(s) have ultimately decided to extend the programs repeatedly until now. While some in Congress have tried to prevent reauthorization or tweak the law, all those attempts have failed. This time around, for the first time Congress has allowed the above provisions to expire, which means the opposition is getting somewhere. They’ll likely be back, but with a few key limitations.

Those limitations came in the form of the USA FREEDOM Act, a bill with an acronym so silly it sounds like Marvel made it up. In its current form, the bill makes some important changes to the Patriot Act, but most privacy groups such as the EFF and the ACLU don’t think it’s enough. Here are some of the key changes:

The government can’t collect bulk phone records, but corporations can:

Rather than allowing the government to collect huge swaths of phone record data, the USA FREEDOM Act would offload the process to the companies that manage that data. The government can then request information provided they choose a specific “selector”, like a person’s name. This means the government itself wouldn’t have the data, but corporations like Verizon and AT&T would still be required to have a database the government could access when it needed to. Which, depending on how easily the government can access that data may be a distinction without a difference.

The public would have an advocate at FISA court hearings:

The one thing stopping the NSA from getting to your data (like the kind phone companies would now be required to hold) are the FISA courts. In the past, FISA court hearings were typically held behind closed doors with no opposing arguments, no appeals, and virtually no oversight. Under the USA FREEDOM Act, whenever the NSA needs to ask these courts for permission to do something, there would be a public advocate there to argue in favor of protecting your data. Of course, that still leaves some problems like who appoints this advocate, but it’s also better than what exists now.

New accountability tools would help Americans know what’s going on:

In addition to having a public advocate at FISA court hearings, the new bill would require the government to publish the results of significant decisions. This means that the public would get to know how some of these tools are being used and what the justification is. Additionally, the bill would require the government to publish statistics about the usage of surveillance programs. However, there is still the possibility that the results of the FISA court hearings would be withheld for “national security reasons”, which is the same problem we have now.

Depending on where you fall on the privacy vs. security spectrum, these changes can sound good or bad. They would still allow the government to access your phone metadata records, but would change how it’s implemented. As legal expert Amie Stepanovich explained to Vox, even this limited approach could still result in the government getting data on millions of non-targets. This bill would also see the return of the roving wiretap and lone wolf provisions, completely unchanged. We’d also possibly see a bit more accountability, but not nearly as much as privacy advocates like the EFF or the ACLU would like.

The USA FREEDOM Act is currently up for debate in the Senate where, if approved, it will go to the President’s desk to be signed into law. Until the Senate votes on the bill, though, it’s still possible that changes could be made. This means that it’s also possible for you to call your senators and voice your concerns and support (or lack thereof).

What Could Happen Now

As it stands right now, the House has approved this version of the USA FREEDOM Act, which means it’s just waiting on approval from the Senate. On May 23rd, the Senate voted against the bill at the urging of Senate Majority Leader Mitch McConnell. McConnell has, up until this point, wanted a clean renewal of the existing Patriot Act provisions, without modifications. Without his support, neither the Patriot Act renewal, nor the USA FREEDOM Act could pass.

However, on Sunday, May 31st, during a special session of Senate, McConnell chose to support the USA FREEDOM Act, rather than allow the Patriot Act provisions to expire entirely. With this renewed support, the Senate was able to vote to move forward on it, which means that it will either be passed, or at the very least the Senate will debate any improvements they want to make before passage.

Due to procedural rules, however, the Senate couldn’t vote to pass it on Sunday. That delay is what resulted in the lapse of the provisions mentioned above—in other words, the Senate didn’t want to let them expire. They just waited too long to save them. It is likely, though, that the Senate will vote to pass the USA FREEDOM Act in some form or another. That vote could happen as early as today if the Senate wants to hurry. It could also incorporate any number of changes, depending on how the negotiations play out. We won’t know for sure how things will change until the bill passes, but it seems unlikely at this point that all of the expired provisions will stay expired.

Update:

As expected, the Senate passed the USA FREEDOM Act with a vote of 67-32. The Senate could not agree to add any amendments, so the bill will go to the President for signing unaltered. That means the return of Section 215 (in the hands of the phone operators, rather than the NSA directly), as well as the changes to the FISA court system will be implemented.

What Isn’t Changing at All

Regardless of what happens with the USA FREEDOM Act, the provisions being debated right now are not the entire package. The NSA still has a number of authorities to monitor or collect data. Which isn’t necessarily a bad thing! The NSA’s job is to monitor potential threats to the United States. The difference between domestic and foreign surveillance is a complex one, but suffice to say that unwarranted surveillance of US citizens, and unnecessary surveillance of foreign nations probably isn’t going to make anyone sleep well at night.

That being said, there are still some problematic provisions that aren’t even part of this debate. Chief among them is Section 702. This section became famous when we first learned about NSA programs like PRISM that allow the collection of internet communications. 702 authorizes the collection of internet communications that have at least one destination outside the United States. This means that, for example, if a U.S. citizen sends a message to someone overseas, that data could be collected and stored in the NSA’s databases.

Worse yet, Section 702 does not require that those destinations be a person or even intentional. As an example, Google tends to transfer data between its data centers in complex ways. Sometimes, your data may travel outside the borders of the United States, even though both the sender and recipient of those messages are within the US. In those cases, the NSA may have the authority to require tech companies to hand over that data.

A number of programs like PRISM, MYSTIC, and the NSA’s upstream data collection are authorized (or, at the very least, the NSA claims they are authorized) by Section 702. That means these programs are still in effect until or unless Congress does something to end them. Given that the USA FREEDOM Act—which has virtually no effect on Section 702—is the only bill with any major support in Congress right now, it’s unlikely another NSA-related bill will pop up anytime soon.

What You Can Do

The Senate will likely be voting on this debate very soon, so if you want to call your senators and urge them one way or another, now is the time. Passage of the USA FREEDOM Act would mean that some unpopular powers would return to the NSA, along with some much-needed accountability rules would be in place.

Failure to pass it, on the other hand, would mean that Congress would have to start from scratch if it wants to reform the NSA or bring back any expired powers. With the Presidential and Congressional elections looming, giving the NSA any new powers would be a politically risky strategy. Of course, that may also make it harder to pass any necessary reforms.

Unfortunately, there isn’t a clear answer one way or the other right now. However, for the last decade or so, Congress has universally agreed to renew all of the Patriot Act’s provisions without any amendments or changes at all. The fact that these provisions have lapsed at all means that you have a golden opportunity to make your voice heard.